On Thu, Dec 07, 2017 at 08:23:51AM -0800, george@georgesbasement.com wrote:
> Ever since the Russians started their attacks, I have been keeping
> track of the IP addresses and servers that are making HEAD / HTTP
> requests. [snip]
The place to do this is in the perimeter router and/or in the firewall,
not at the web server. Why? (1) it's easier (2) it's more efficient
(3) it's more effective (4) it covers everything, not just HTTP/HTTPS.
To do this:
First, get the Spamhaus DROP (Don't Route Or Peer) list, along with
the EDROP list:
http://www.spamhaus.org/drop/drop.txt
http://www.spamhaus.org/drop/edrop.txt
They're small. Take a look at them.
Second, get ipdeny.com's list of all network blocks by country:
http://ipdeny.com/ipblocks/data/countries/all-zones.tar.gz
Unpack that and find ru.zone (for your particular use case). Note
that the tarball contains one file per country with a list of the
allocations in CIDR format. Note that this is updated periodically.
(As are the DROP/EDROP lists. Also, they have a second column with
more information about their provenance.)
Third, configure your router/firewall to simply drop all incoming
traffic from the DROP list, the EDROP list, and everything in ru.zone
on the floor. Not even a NACK. Just drop it, and optionally log it.
Fourth, enjoy the silence.
Comments:
1. Everyone should be using the DROP and EDROP lists. They're
extremely well-curated.
2. Moreover, everyone should be using them *bidirectionally*, because
there are no possible outcomes of sending traffic to those networks
that are good for you.
3. I block various countries from various services, and some from
all services. Choose yours based on your operational requirements.
For example, if I was managing a web site for a bowling league
based in Reading, PA, I would block *everything* and then only
allow traffic from us.zone. Yes, this means that someone in Peru
or Portugal or Pakistan couldn't see the web site. It also means
that they couldn't attack it. Probably a good tradeoff for a site
whose entire intended audience is almost certainly in the US.
4. Supplement all of this with individual blocks as the need arises.
5. Yes, all of this can be bypassed with proxies and VPNs and Tor
and botnets and and and. It's not a panacea. But it does take the
edge off, and that in turn makes the remaining problem more tractable.
---rsk
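The four-step procedure in the message above (fetch DROP/EDROP and a country zone file, then drop everything in them at the perimeter, silently and in both directions), worked through as an added shell example. This is not code from the original post or from rsk; it assumes a Linux firewall with ipset and iptables, the set name "badnets" and the script name are ours, and the sample lines embedded in the comments are constructed in the documented DROP format, not real list contents.

```shell
#!/bin/sh
# Added example (not from the original post): build an ipset from
# Spamhaus DROP/EDROP files and ipdeny country zone files, then emit
# iptables rules that drop matching traffic in both directions.
# Assumptions: ipset + iptables are installed; set name "badnets" is ours.

# Extract CIDR prefixes from a DROP/EDROP-format file.
# DROP lines look like "192.0.2.0/24 ; SBL000001" (constructed sample);
# the second column is the SBL reference the post mentions, and lines
# beginning with ';' are comments. ipdeny zone files are one bare CIDR
# per line, which the same filter accepts unchanged.
drop_cidrs() {
    # $1 = path to drop.txt, edrop.txt, or a *.zone file
    sed -e 's/;.*$//' -e 's/[[:space:]]//g' "$1" | grep -E '^[0-9.]+/[0-9]+$'
}

# Emit ipset/iptables commands for one set built from the given files.
# $1 = set name, remaining args = list files.
emit_rules() {
    set_name=$1; shift
    # hash:net holds CIDR prefixes; -exist makes the script re-runnable
    # after the lists are refreshed (the post notes they change periodically).
    echo "ipset create $set_name hash:net -exist"
    for f in "$@"; do
        drop_cidrs "$f" | while read -r cidr; do
            echo "ipset add $set_name $cidr -exist"
        done
    done
    # DROP, not REJECT: "not even a NACK". LOG is appended before DROP so
    # matches are recorded, then discarded. Rules cover the host itself
    # (INPUT/OUTPUT) and, on a router, transit traffic (FORWARD), in both
    # directions, as comment 2 in the post recommends.
    echo "iptables -A INPUT   -m set --match-set $set_name src -j LOG --log-prefix \"$set_name: \""
    echo "iptables -A INPUT   -m set --match-set $set_name src -j DROP"
    echo "iptables -A OUTPUT  -m set --match-set $set_name dst -j DROP"
    echo "iptables -A FORWARD -m set --match-set $set_name src -j DROP"
    echo "iptables -A FORWARD -m set --match-set $set_name dst -j DROP"
}

# Stand-alone use, with files fetched as the post describes:
#   ./blocklist.sh drop.txt edrop.txt ru.zone > rules.sh
# Review rules.sh, then run it as root. With no arguments nothing is emitted.
if [ "$#" -gt 0 ]; then
    emit_rules badnets "$@"
fi
```

The rules are appended with `-A`, so they take effect only if no earlier rule in the chain accepts the traffic first; on a firewall that already has accept rules, place them ahead of those (or in a dedicated chain jumped to at the top of INPUT/FORWARD). Re-running the script after re-downloading the lists refreshes the set without duplicating rules only for the ipset part; the iptables lines should be added once.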
___________________________________________________________________________
Philadelphia Linux Users Group -- http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion -- http://lists.phillylinux.org/mailman/listinfo/plug